Wednesday, May 15, 2013

Die a Hero, or Live a Villain

Introduction


Among business men and women, there has been an unspoken code: a law that governs behavior and guides choices. From time to time, people brush up against this unspoken code and draw their own conclusions. I have done the same, but until now I have waited and watched, trying not to allow myself to be persuaded to one side or the other until I could see both sides. Some of the best leadership writers in the world speak of the need to lead people from the front. That is to say, people are led best when inspired and brought alongside leadership. The dangers are apparently clear, however, and are best expressed by Aaron Eckhart's character, Harvey Dent, in "The Dark Knight": "Fine! You either die a hero, or you live long enough to see yourself become the villain." This dichotomy is what I wish to focus on today. Why can't leaders lead and stay in charge? Why must they die to become a hero (whether literal or figurative)? What could cause them to fall far enough to become a villain?

The Black and White Knights


Christopher Nolan's sweeping narrative of Bruce Wayne's inner struggle and leadership as Batman is the platform I want to use to share my opinions about the aforementioned leadership struggle. We see Bruce become a leader in fighting injustice in Gotham City in "Batman Begins," and we learn how his leadership is short-lived because he chooses to do things in an "unconventional" and "uncomfortable" way to get the job done. In fact, there is only one rule he has: he will not kill. This kind of stance makes it apparent that he will not sacrifice justice to give criminals due process. He will not allow even the unjust justice system to come between him and his goal. What that looks like as a leader is becoming so obsessed with a goal, an ideal, a standard, a process that we don't care what it takes to get there, or how long; we will get there. We don't care who aligns with us, be it people with higher moral standards or those that share the same. We cannot, however, allow those who compromise our goal to become our allies, and certainly not our friends. This is where Bruce made a mistake. I believe, deep down, Bruce wanted Harvey Dent to take the leadership mantle of fighting injustice before he could fully understand what made Dent tick. In fact, we see the Joker push Dent just slightly and cause his world to come crashing around his ears.

When leaders allow themselves to work too closely with people that they don't understand, they expose themselves to risk. Don't get me wrong, there are times when you can misjudge someone, but a fool is one who does not learn from mistakes. What I am talking about directly though, is when people purposefully allow themselves to trust someone more than reason justifies. Allowing someone to get so close that they can manipulate and twist things in your view is allowing someone to get too close. These "Black Knights" fight for a cause, but are so tainted that they cease even holding on to what they once believed in order to win approval from those who are meant to follow them. This danger even exists among peers.
Why can't leaders stay in charge? Are all of us doomed to "die a hero, or become a villain"? These questions are hard. There are, admittedly, many reasons a leader may leave. However, leaders must understand that there should be precious few people that directly influence their decisions. If we were to look at a model, we could look at the model of Jesus Christ. He led 12 men from the front, He had an accountability group, He did die a hero and inspired an entire new way of thinking. But He also only allowed 3 people to be closest to Him, and they still had no direct ability to influence His mission. He did not allow Peter, James, or John to change His mission. Had He, Peter would have had Jesus fighting in armed combat with the Romans, or James and John would have had Him fishing for fish instead of men. With this in mind, the "White Knight" is the antithesis of this. Sure, that leader may have friends, but he does not allow those friends to change his perspective so easily without knowing how it relates to his mission.

Summary

This short post was to illustrate the dangers of allowing someone to influence you too much. Keeping that in mind, there is a leadership structure for a reason. They are not your friend, they are not your buddy, they are your employee. They are there to take orders and leadership from you, not give you orders. The goal is to discover one's mission and stick to it, allowing people to speak to it while understanding how their opinions play into the mission. It is not easy, but it is of paramount concern to any leader.

Wednesday, February 13, 2013

"We're listing Starboard Cap'n:" a look at using lists to control data integrity.

introduction

We live in an age where any individual with the right tool can forge credentials through a Facebook token and gain access to banking information from their target. Unlike days of old, where one had to be familiar with a specific technology or programming language to implement an attack, one can go out to the internet and use a simple Google search to find any number of tools that will enable the novice (aka Script Kiddie) to mount a precision attack against any number of sites. The worst part of this is that the tools are free and open source. While most of this is of no surprise to any forward-thinking InfoSec analyst, one trend we are seeing more of is user-generated content: people being able to add their two cents to any page on the web. Wikipedia, Facebook, Twitter, blogs, news pages with comments, YouTube, Instagram, Pinterest: all fundamentally use input from users to guide, drive, and traffic information. However, one alarming note is the general lack of consistent standardization for field validation within sites themselves, let alone across multiple sites and corporations. If one pauses to consider the kinds of internal turmoil that many web properties go through, one can quickly understand HOW this could happen. But it isn't until you go farther down, to the individual developer, page, and field that it starts becoming crystal clear.

a quick note on standards

When a developer starts designing a page for a project, unless there are standards driving that development, it is bound to look like a patchwork quilt. One of the most dangerous areas to be that spotty is security. With that much inconsistency between developers within an organization, it is no wonder that when looking at web development and application development overall, one can see vast differences, including differences in similar code. While the creativity of the developer is not the cause of this, it is important to point out that developing blindly without understanding the code base one is pushing their project into is dangerous. From there one has to understand what the most likely attacker profile will be. If one can understand that, they can then greatly reduce the number of vectors through which an attacker will likely gain access.

White, Black, and Red listing

White and black lists are nothing new. The idea of white-listing a server to keep untrusted traffic out is a good concept. However, there is a huge hole in that concept. What happens if the traffic is NOT malicious, but just not on the white list? Let's take the example of Minecraft. In Minecraft multi-player, there are servers set up by various organizations. They also have white-listing as an out-of-the-box feature of the Minecraft multi-player server. They use the white-lists to deter players who are not trusted or well known and keep them off the server. For those that don't use white-listing, there are other systems that monitor and detect player actions by player so that one does not have to read the server logs to find out if players have been doing inappropriate activity. When a player does something that is deemed "inappropriate use" of the world in Minecraft, they are warned, booted from the server, or banned. If white-listing is acceptable players and banning is a black-list, then booting and warning players would be a separate list altogether. Let's bring that back to the world of field validation that we discussed briefly with regards to user-generated content. If one implements a white-list for acceptable values on a field, one also must add a black-list to define what IS NOT appropriate. The black-list is arguably more important than the white-list because it defines what is absolutely not allowed in the field.

"Ultimately white-listing is no different from or better than black-listing because it is impossible for either humans or computer systems to distinguish good software from bad software."
-Simon Crosby, February, 2013, taken from his blog

The difference posed here is knowing your systems, and the information most likely to be targeted. If one can understand that, they can make a better white and black list.

"In order to validate the integrity of the input we need to ensure it matches the pattern we expect. Blacklists looking for patterns such as we injected earlier on are hard work both because the list of potentially malicious input is huge and because it changes as new exploit techniques are discovered. Validating all input against whitelists is both far more secure and much easier to implement. In the case above, we only expected a positive integer and anything outside that pattern should have been immediate cause for concern. Fortunately this is a simple pattern that can be easily validated against a regular expression."
-Troy Hunt, May 2010, taken from his website

the red-list

The next concept I would like to put out is the idea of using another list (what I call the "Red List"). Red-listing is for input that is not necessarily malicious, but is suspect because of the context, type, or time the information is presented. An example could be found back with the Minecraft players. Let's say that a player is white-listed and playing on the server, but he starts gathering specific materials needed to make and use TNT (sand, gun-powder) which is not allowed. Because the player is not doing anything inappropriate on the server, he will draw no attention from the server moderators. However, he would be Red-listed. He would be brought to a higher level of awareness and will be allowed to continue. The server moderators may then either pro-actively intervene (by asking the player what they are doing) or wait until the player has created the inappropriate item and warn/boot the player. Red-listing is nothing more than a clearing house for what could be malicious content, but is not overtly so. Just a thought.
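
The three lists applied to one input field, as an added example that is not part of the original post. The field (a product id that must be a positive integer), the patterns, the thresholds and every name below are assumptions chosen for illustration, and the sample inputs are constructed.

```python
import re
from collections import defaultdict, deque

# Constructed rules for a hypothetical "product id" field (positive integer).
# [0-9] with fullmatch() avoids Unicode digits and the trailing-newline
# match that "^...$" would accept.
WHITELIST = re.compile(r"[1-9][0-9]{0,8}")
BLACKLIST = re.compile(r"['\";<>]|--|/\*")   # never acceptable in this field
RED_WINDOW_SECONDS = 60   # assumption: how far back context is considered
RED_MAX_DISTINCT = 5      # assumption: distinct ids per session before flagging


class FieldValidator:
    """Return ('reject' | 'allow' | 'red', reason). 'red' is still served,
    but the event is queued so a moderator or analyst can look at it."""

    def __init__(self):
        self.recent = defaultdict(deque)   # session -> (timestamp, value) pairs
        self.review_queue = []             # red-listed events awaiting review

    def classify(self, session, value, now):
        if BLACKLIST.search(value):
            return ("reject", "black-list pattern")
        if not WHITELIST.fullmatch(value):
            return ("reject", "not on white-list")
        # Red-list: the value is valid, so judge it by context instead.
        history = self.recent[session]
        history.append((now, value))
        while history and now - history[0][0] > RED_WINDOW_SECONDS:
            history.popleft()              # forget events outside the window
        distinct = {v for _, v in history}
        if len(distinct) > RED_MAX_DISTINCT:
            self.review_queue.append((session, now, sorted(distinct, key=int)))
            return ("red", "many distinct ids in window")
        return ("allow", "matches white-list")


def demo():
    v = FieldValidator()
    results = [v.classify("s1", "42", 0),
               v.classify("s1", "42 OR 1=1", 1),
               v.classify("s1", "1'--", 2)]
    # Constructed: one session walks ids 100..105 within a few seconds.
    results += [v.classify("s2", str(100 + i), 10 + i) for i in range(6)]
    return results, v.review_queue


if __name__ == "__main__":
    for verdict in demo()[0]:
        print(verdict)
```

Every individual request from the second session passes the white-list; only the pattern across requests raises it to the red-list, which is why that check needs per-session state rather than another regular expression.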